President Joe Biden has ordered U.S. intelligence agencies to investigate the sophisticated ransomware attack that has ensnared more than 1,000 companies worldwide, he told reporters on Saturday during a trip to Michigan to promote his infrastructure package.
In what is shaping up to be one of the largest ransomware attacks in history, the hackers hijacked widely used management software from the international IT firm Kaseya to push out a “malicious update” that deployed their malware “to companies across the world,” the Record reports.
“We’re not certain” who is behind Friday’s attack, Biden said. “The initial thinking was it was not the Russian government but we’re not sure yet.” He added that the U.S. would respond if it determines that Russia is to blame.
The culprit is suspected to be REvil, a notorious cybercriminal syndicate believed to have ties to Russia that’s previously gone after high-profile targets such as Apple and Acer, according to the security firm Huntress Labs. The group is also believed to be behind last month’s successful attack on the world’s largest meat processing company, JBS, that extorted $11 million in ransom.
On Friday, Kaseya warned customers to shut down their VSA servers immediately after discovering a security incident involving the software. Kaseya uses its VSA cloud platform to manage and send software updates to the network devices of its clientele, i.e., managed service providers (MSPs), which in turn supply remote IT services to hundreds of smaller businesses that cannot handle those tasks in-house.
The exact mechanics and scope of the attack are still being uncovered, but security experts believe the hackers exploited Kaseya’s VSA product to spread malware and encrypt the files of those providers’ customers. Kaseya CEO Fred Voccola said in an update on Friday that the company believes it has found the source of the vulnerability and plans to release a patch “as quickly as possible to get our customers back up and running.” At the time, he said fewer than 40 of Kaseya’s customers were known to be affected.
However, because many of those customers are likely to be MSPs, the figure could translate into hundreds of smaller businesses that rely on their services being put at risk. Huntress, which has been publicly tracking the attack, said via Reddit that it has identified more than 1,000 businesses whose servers and workstations were encrypted as a result of the attack. One suspected victim of the breach, the Sweden-based retailer Coop, closed at least 800 stores over the weekend after its systems were taken offline, the New York Times reports. Huntress senior security researcher John Hammond told the outlet that the hackers were demanding $5 million in ransom from some of the affected companies.
“This is a colossal and devastating supply chain attack,” Hammond later said in a statement to Reuters. Supply chain attacks, in which hackers compromise a single piece of software to reach hundreds or even thousands of its users simultaneously, are quickly becoming the technique du jour for high-profile cybercriminals. The SolarWinds hackers used a similar scheme to infect network management software used by several major U.S. federal agencies and corporations.
In an update posted to Kaseya’s blog Sunday morning, the company said it is working with the FBI and the Cybersecurity and Infrastructure Security Agency to address the situation and affected customers.
“We are in the process of formulating a staged return to service of our [software as a service] server farms with restricted functionality and a higher security posture (estimated in the next 24-48 hours but that is subject to change) on a geographic basis,” the company wrote. “More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”
Kaseya added that it has rolled out a new “compromise detection tool” to almost 900 customers who requested it, and is in the process of developing a private download site to provide access to more customers.